Abstract

In monitoring applications, recent data is more important than distant data. How does this affect 
privacy of data analysis? We study a general class of data analyses — computing predicate sums — 
with privacy. Formally, we study the problem of estimating predicate sums privately, for sliding windows 
(and other well-known decay models of data, i.e. exponential and polynomial decay). We extend the 
recently proposed continual privacy model of Dwork et al. [DPNR10]. We present algorithms for decayed
sum which are $\epsilon$-differentially private, and are accurate. For window and exponential decay sums, our
algorithms are accurate up to additive $1/\epsilon$ and polylog terms in the range of the computed function; for
polynomial decay sums which are technically more challenging because partial solutions do not compose 
easily, our algorithms incur additional relative error. Further, we show lower bounds, tight within polylog 
factors and tight with respect to the dependence on the probability of error. 

1 Introduction 

Any nontrivial physical, hardware or software system has a dashboard continually observing the system 
variables, and updating various measurements. In such applications, data arrives over time, and we need 
to continually output the result of some analysis $f$ for each time instant $j$ on all data seen thus far. This
challenges privacy of analysis because the same function is computed on several deltas of the data and
the collection of these function values can potentially leak information. Recently, the notion of differential
privacy was adopted to address this challenge [DPNR10, CSS10a], and we extend that study.

[DPNR10, CSS10a] identified the problem of computing the running sum of a series of 0/1 updates
as an important technical primitive, formulated differential privacy of computing these running sums, and
presented upper and lower bounds on accuracy of $\epsilon$-differentially private algorithms for computing running
sums. They showed that an additive accuracy of $O(\frac{1}{\epsilon} \log^{1.5} T)$ with constant probability is possible for the
running sums problem, and that $\Omega(\log T)$ additive error was necessary to answer privately all running sum
queries for all time steps $j \in$

Power of Running Sums. The sums problem captures many analyses by applying a suitable predicate to
the data items that map them to 0/1. For example, at time $j$, say data item $D_j = (u_j, m_j)$ is the user ID
$u_j$ and the name of the movie $m_j$ watched in an online service by $u_j$ at that time. A natural predicate is
$V_m(D_j) = 1$ if $m_j = m$ and 0 otherwise; the running sum with this predicate counts the number of user IDs
that watched a particular film $m$. Another natural predicate is $V_u(D_j) = 1$ if $u_j = u$ and 0 otherwise; this
running sum counts the number of movies watched by a user $u$. The predicates can be different for different
items. E.g., $V_{j,u}(D_j) = 1$ if $u_j = u$ and $j \in [9, 17]$ will filter movies watched by user $u$ during business
hours 9 AM to 5 PM. Even more generally, $V$ may be a machine learning based classification routine such
as whether a click by any user from a certain IP address on an Internet ad is a spam or not, and the running
sum will count the total number of spam clicks from the given IP address.

Our point of departure from prior work is that in reality, monitoring applications emphasize recent data 
more than data long past. For example, monitoring applications typically consider a "window" of continual
observations such as, last T time units, or last W updates. More generally, they discount items based on
how far they are in the past, and analyze decayed data. The commonly useful decay models are exponential
and polynomial decays [DGIM02, CS03].



Our results. Motivated by this, we consider differential privacy of continual observations over windows
and decayed data. At each time step $i$ the algorithm receives a bit $x_i$; at each time step $j$, the algorithm is
required to report an approximation $\hat{F}(x_1, \dots, x_j)$ to a function $F(x_1, \dots, x_j)$ and be $\epsilon$-differentially private
over the entire data seen thus far. We use the notion of $(\delta, \gamma)$-utility, satisfied by algorithms that at any
time step $j$ output a value $\hat{F}(x_1, \dots, x_j)$ which is within $\delta$ absolute error from $F(x_1, \dots, x_j)$ with probability
$1 - \gamma$. Below we summarize our results for sufficiently small $\gamma$ (results for larger $\gamma$ can be found in the body
of the paper):

• (Window Sum) The window sum problem with window size $W$ requires estimating $F_w(j, W) = \sum_{i=j-W+1}^{j} x_i$
for each $j$. Further, the whole sequence $\hat{F}_w$ of outputs, for all $j$, should be $\epsilon$-differentially private.

We present an algorithm that achieves $(\delta, \gamma)$-utility for $\delta = O(\frac{1}{\epsilon} \log W \log \frac{1}{\gamma})$ (in the regime $\log W >
\log \frac{1}{\gamma}$). While a window sum can be reduced to computing the difference of two running sums, existing
running sum algorithms [DPNR10, CSS10a] achieve error $\delta = \Theta(\frac{1}{\epsilon} \log T \log \frac{1}{\gamma})$, which can be much
larger than the range $W$ of $F_w$, and therefore, as bad as the trivial algorithm that outputs a fixed value
independently of the input.

We also present a lower bound of $\Omega(\min\{W/2, \frac{1}{\epsilon} \log \frac{1}{\gamma}\})$. Note that the dependence on the error
probability $\gamma$ is optimal. The $W/2$ term in the lower bound is unavoidable, as the trivial algorithm
which outputs $W/2$ at every time step achieves additive approximation $W/2$ and is perfectly private.
This lower bound generalizes a previous lower bound for the running sum problem [DPNR10].

• (Exponential Decay) The exponential decay sum problem is to estimate $F_e(j, \alpha) = \sum_{i=1}^{j} x_i \alpha^{j-i}$ accurately,
while the whole sequence $\hat{F}_e$ of outputs, for all $j$, should be $\epsilon$-differentially private.

We present an algorithm that achieves $(\delta, \gamma)$-utility with S = 0(7 log log i). We also present a
lower bound of ^min^Y^^, i2S(iZ2)|y Once again, the dependence on the error probability $\gamma$ is
optimal. Unlike $F_w$, $F_e$ at each time step depends on the entire sequence of updates; nevertheless, our
algorithm achieves bounded error, polylogarithmic in the range of $F_e$.

• (Polynomial Decay) The polynomial decay sum problem is to estimate $F_p(j, c) = \sum_{i=1}^{j} \frac{x_i}{(j-i+1)^c}$ accurately,
while the whole sequence $\hat{F}_p$ of outputs, for all $j$, should be $\epsilon$-differentially private.

We present an algorithm that for each $j$ returns $(1 \pm \beta)F_p(j, c)$ ± (^-^ log log ^ with probability
$1 - \gamma$. We also present a lower bound of f2 ^1 — jpgc-i^i/^-) ^ against purely additive error. Polynomial
decay presents a greater challenge than window sums or exponential decay since there is no direct way
to combine a polynomial decay sum over an interval $[a, b]$ and $[b, c]$ into a polynomial decay sum over
$[a, c]$. We develop a general technique that works on a large class of decay sum functions (including
polynomial decay) and reduces the problem of estimating the decay sum to keeping multiple window
sums in parallel. The technique results in a bi-criteria approximation, because of which our lower and
upper bounds are incomparable for this problem.

In comparison with the simple randomized response strategy [War65] (i.e. with probability $1/2 - \epsilon/2$
change update to $1 - x_i$ and keep exact statistics of the changed input), our algorithms achieve exponentially
smaller additive error: randomized response leads to estimators with standard deviation proportional
to the energy of the decay function, while our estimators have standard deviation polylogarithmic in the
energy. Technically,

• Our algorithms keep dyadic tree data structures as is natural and also used in [DPNR10, CSS10a] and
elsewhere. However, in order to provide estimates with error polylogarithmic in the range of the decay
function, we need to treat the dyadic tree data structure in a non-uniform manner: either adding different
noise at different nodes, or weighing the contribution of an update to different nodes differently, which
is our technical contribution.

• We derive all our lower bounds from a common framework, that is inspired by work on differentially
private combinatorial optimization. This extends prior work in two ways: they apply to decay sum
problems that have not been considered before, and they apply against the weaker $(\delta, \gamma)$-utility guarantee
(rather than requiring that all queries are accurate, as in [DPNR10]).
Detailed discussion of prior work. The problem of tracking statistics on dynamic data while preserving
privacy under continual observation is introduced in [DPNR10] (a preliminary version was presented in
an invited talk by Dwork [Dwo10]). In [DPNR10], an algorithm private under continual observation is
presented for the running sum problem. For any fixed time step, their algorithm achieves additive error
of $O(\frac{1}{\epsilon} \log^{1.5} T)$ with constant probability, where $T$ is an upper bound on the maximum size of the input,
known to the algorithm. Independently, [CSS10a] presented a continually private algorithm for the running
sum problem that at any step $j$, guarantees an additive error of $O(\frac{1}{\epsilon} \log^{1.5} j)$ with constant probability. This
matches [DPNR10], while not knowing $T$.

The algorithm of [CSS10a] is related to our work: our algorithm for window sum reduces to their
algorithm for running sum when the size of the window coincides with the size of the input. However, if their
algorithm or the algorithm in [DPNR10, CSS10b] is used directly to compute window sums, then the error
at time $j$ will be on the order of $\log^{1.5} j$ and for large $j$ will overcome the window size. Further, algorithms
in [CSS10a, DPNR10, CSS10b] do not work for decayed sums.

[DPNR10] shows how to transform a private streaming algorithm that satisfies a monotonicity property
to a private, continual algorithm. However, estimating decayed sums does not have the monotonicity 
property. 

2 Notation and Preliminaries 

Online Data Model We consider online problems with binary input: at each time step $i$ the algorithm
receives input $x_i \in [a, b]$, and is required to report an approximation $\hat{F}(x_1, \dots, x_i)$ to a function $F(x_1, \dots, x_i)$.
We present our upper bounds for $a = 0, b = 1$. For general $a, b$, our absolute error bounds scale linearly in
$b - a$.

Decayed Sum Problems The functions $F$ we are interested in approximating are decayed sum functions.
Consider a non-increasing function $g$ defined on $\mathbb{N}$ such that $g(0) = 1$. The decayed sum induced by $g$ is the
function $F(j) = F(x_1, \dots, x_j) = \sum_{i=1}^{j} x_i g(j - i)$, i.e. $F$ is the convolution of the input and a non-increasing
function $g$. The decayed sum problems we consider are defined below

• when $g(i) = 1\ \forall i$, the running sum problem (considered in [CSS10a, Dwo10, DPNR10]): $F_s(j) =$

• when $g(i) =$ , the window sum problem (with window size $W$): $F_w(j, W) = \sum_{i=j-W+1}^{j} x_i$. To
simplify notation, in the above definition we assume that $x_i = 0$ for all $i < 0$.

• when $g(i) = \alpha^i$ ($\alpha < 1$), the exponential decay sum problem: $F_e(j, \alpha) = \sum_{i=1}^{j} x_i \alpha^{j-i}$.

• when $g(i) = (i + 1)^{-c}$ ($c > 1$), the polynomial decay sum problem: $F_p(j, c) = \sum_{i=1}^{j} \frac{x_i}{(j-i+1)^c}$.

The last three problems have not been considered in the differential privacy literature before, and specifically
not in the continual observation model. The problems of keeping event counts and other statistics over
windows [DGIM02] and keeping decayed (in particular exponential and polynomial decay) sums [CS03] have
been studied in the field of small space streaming algorithms.

Differential Privacy We use the standard definition of differential privacy, applied to the online data
model:

Definition 1 ([DMNS06, DPNR10]). Let $A$ be a randomized online algorithm that at time step $j$ outputs
$\hat{F}(x_1, \dots, x_j)$. $A$ satisfies $\epsilon$-differential privacy if for all $T \in \mathbb{Z}$, for all measurable subsets $S$, all
possible inputs $x_1, \dots, x_T$, all $j$ and all $x'_j$ (where probability is over the coin throws of $A$)

$$\Pr[(\hat{F}(x_1, \dots, x_j, \dots, x_k))_{k=1}^{T} \in S] \le e^{\epsilon} \Pr[(\hat{F}(x_1, \dots, x'_j, \dots, x_k))_{k=1}^{T} \in S].$$

This is the basic definition of differential privacy as in [DMNS06], but with the modification that the
algorithm receives the input online and produces output at every step, and the whole sequence of outputs is






Figure 1: Dyadic tree data structure $T = T(L, U)$. In this example, $u = L + 5$ is shown in a blue node, $u' = L + 3$, and the
prefix sum $s(u, T) = c_{L,L+3} + c_{L+4,L+5}$ is obtained by adding the counters at the two green nodes $[L, L + 3]$
and $[L + 4, L + 5]$.



available to an adversary. This model of privacy for online algorithms operating on time series data, termed
privacy under continual observation, was introduced by [Dwo10, DPNR10].

We use the following basic facts about differential privacy. The first theorem gives a simple way to 
achieve differential privacy for algorithms with numerical output, based on adding random noise scaled 
according to the sensitivity of the statistic being computed. The second fact is that composing multiple 
privacy mechanisms results in smooth privacy loss. 

Theorem 1 ([DMNS06]). For a function $F : [a, b]^T \to \mathbb{R}^d$, let the sensitivity of $F$, $S_F$, be the smallest real
number that satisfies $\forall x_1, \dots, x_T, \forall j \in [T], \forall x'_j \in [a, b]$:

$$\|F(x_1, \dots, x_j, \dots, x_T) - F(x_1, \dots, x'_j, \dots, x_T)\|_1 \le S_F.$$

Then an algorithm that on input $x_1, \dots, x_T$ outputs $\hat{F}(x_1, \dots, x_T) = F(x_1, \dots, x_T) + \mathrm{Lap}(S_F/\epsilon)^d$ satisfies
$\epsilon$-differential privacy, where $\mathrm{Lap}(\lambda)^d$ is a sample of $d$ independent Laplace random variables with mean 0
and scale parameter $\lambda$.

Theorem 2 ([DMNS06]). Let algorithm $A_1$ satisfy $\epsilon_1$-differential privacy and algorithm $A_2$ satisfy $\epsilon_2$-differential
privacy. Then an algorithm $A$ that on input $x = \{x_1, \dots, x_T\}$ outputs $A(A_1(x), A_2(x))$ satisfies
$(\epsilon_1 + \epsilon_2)$-differential privacy.

Utility We adopt the following, commonly used notion of utility: 

Definition 2. Let $A$ be a randomized online algorithm that at time step $j$ outputs $\hat{F}(x_1, \dots, x_j) \in \mathbb{R}$. Then,
$A$ achieves $(\delta, \gamma)$-utility with respect to a function $F$, if for all $j$, $\Pr[|\hat{F}(x_1, \dots, x_j) - F(x_1, \dots, x_j)| > \delta] < \gamma$.

Dyadic Tree Datastructure We repeatedly use the following dyadic tree data structure which is common 
in algorithmics. This data structure is a balanced augmented search tree and variants of it are common in 
much algorithmic work. 

Let $T(L, U)$ be a complete binary tree of height $h = \log(U - L + 1) + 1$ (assuming, for simplicity, that
$U - L + 1$ is a power of 2). The leaves of the tree are indexed by the integers $L, L + 1, \dots, U$, and if two
sibling nodes are indexed by the intervals $[l_1, u_1]$ and $[l_2 = u_1 + 1, u_2]$, then their parent is indexed by
$[l_1, u_2]$. Note that at level $k$ of the tree (the leaves being at level 1), the indexing intervals have the form
$[L + (i - 1)2^{k-1}, L + i2^{k-1} - 1]$ for $i \in [1, 2^{h-k}]$. We call a node whose indexing interval precedes its sibling's
indexing interval a left node; the sibling of a left node is a right node. With each node we associate a variable:
for the node indexed by $[l, u]$, the associated variable is denoted $c_{lu}$. Given a tree $T = T(L, U)$ and a prefix
interval $[L, u]$, we define function $s(u, T)$ recursively:
• if $[L, u]$ indexes a node in $T$, then $s(u, T) = c_{Lu}$;

• otherwise, let $u'$ be the largest integer less than $u$ such that $[L, u']$ indexes some node in $T$; equivalently,
$u'$ is the largest integer less than $u$ that can be written as $u' = L + 2^{k-1} - 1$. Let $T'$ be the subtree of
$T$ rooted at the sibling of $[L, u']$ (indexed by $[u' + 1, u' + 2^{k-1}]$); then $s(u, T) = c_{Lu'} + s(u, T')$.

The following lemma is essential to our analysis and can be easily proved by induction. 

Lemma 1. There exist $r \le \lceil \log(u - L + 1) \rceil$ integers $u_1, \dots, u_r$ such that $s(u, T) = c_{L,u_1} + \sum_{k=1}^{r-1} c_{u_k+1,u_{k+1}}$.
Furthermore, all nodes indexed by $[u_k + 1, u_{k+1}]$ are left nodes in $T$, and each node is in a different level of
$T$.

Proof. The integers $u_1, \dots, u_r$ are given directly by the recursive definition of $s(u, T)$. To bound $r$, consider
that at each step in the recursion, unless $[L, u]$ indexes a node in $T$, the tree $T'$ has at most half the number
of leaves of the smallest subtree of $T$ that contains $u$ as a leaf. Initially the smallest subtree that contains $u$
as a leaf has number of leaves equal to the smallest power of 2 greater than or equal to $u - L + 1$, i.e. the
number of leaves initially is $2^{\lceil \log(u - L + 1) \rceil}$. The recursion stops when we reach a tree with only a single node,
and, therefore, we make at most $\lceil \log(u - L + 1) \rceil$ recursive calls. The bound on $r$ follows.

The condition that all nodes are left siblings follows from the fact that each node is indexed by an interval
that contains the leftmost leaf of the current subtree.

Finally, notice that the only way to pick two nodes on the same level is if after picking $u'$, in the next
step of the recursion we pick the root of $T'$. However, in this case we would have picked the parent of $[L, u']$
instead of $[L, u']$, a contradiction. □



Chernoff Bound for Laplace Variables We will use the following Chernoff bound for sums of independent
Laplace random variables.

Lemma 2. Let $s_1, \dots, s_n$ be independent Laplace random variables such that $s_i \sim \mathrm{Lap}(b_i)$. Denote S =
and a = V^EiLi^i- /"^ ^ < ^"''"'^ ^A\S\ > t<j] < 2exp{0.75X'^a'^ - Xta). 

Proof. We use the standard technique of bounding the moment generating function of $S$ and applying
Markov's inequality. Details follow.

Since the distribution of $S$ is symmetric, we have $\Pr[|S| > t\sigma] = 2\Pr[S > t\sigma]$. For any $\lambda$, we have:

$$\Pr[S > t\sigma] = \Pr[e^{\lambda S} > e^{\lambda t \sigma}]$$

For $\lambda < 1/b_i$, the moment generating function of the Laplace random variable is $\mathbb{E}[e^{\lambda s_i}] = 1/(1 - \lambda^2 b_i^2)$.
Assuming $\lambda b_i < .75$, we have



Substituting into (1), we get



Pt[S > ta] < exp(--A2 ^ b^ - Xta), 



as desired. □ 



3 Upper Bounds 
3.1 Window Sum 

A key observation for computing window sums with error polylogarithmically bounded in W is that, unlike 
with running sum, only the lowest $\log W + 1$ layers of the dyadic tree are necessary to compute window sum.
However, if we keep a dyadic tree for every window of size W, each update will contribute to more than W 
variables, resulting in data structures with large sensitivity, which, for differential privacy, translates into 
Figure 2: Window sum for a window size $W = 4$, with the two dyadic trees $T_1 = T(1, W) = T(1, 4)$ and $T_2 = T(W + 1, 2W) = T(5, 8)$. This example illustrates the algorithm at time $i = 7$, and
the output is $\hat{F}_w(7, W = 4) = s(W, T_1) - s(3, T_1) + s(7, T_2) = c_{14} - (c_{12} + c_3) + (c_{56} + c_7) = x_4 + x_5 + x_6 +
x_7 + z_{14} - z_{12} - z_3 + z_{56} + z_7$, where $z_{lu}$ denotes the noise at node $[l, u]$.



Algorithm 1 WindowSum

For $k \ge 1$, define $T_k = T((k - 1)W + 1, kW)$, with all $c_{lu}$ initialized to $\mathrm{Lap}((\log W + 1)/\epsilon)$.
for all inputs $x_i$ do
    add $x_i$ to all $c_{lu}$ in $T_{\lceil i/W \rceil}$ such that $i \in [l, u]$.
    output: $\hat{F}_w(i, W) = s((k - 1)W, T_{k-1}) - s(i - W, T_{k-1}) + s(i, T_k)$, where $k = \lceil i/W \rceil$.
end for



more noise. Our main idea is that instead of keeping a dyadic tree for every window, we can divide the input 
into blocks of size W, and view the windows that span two blocks as the union of a suffix and a prefix of 
two blocks. 

The algorithm WindowSum is shown as Algorithm 1. In the remainder of this section we assume that
$W$ is an exact power of 2.
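
The block decomposition and the prefix sums $s(u, T)$ that WindowSum relies on can be exercised directly. The following Python sketch is an added example, not code from the paper: the class and function names are assumptions of this example, $W$ is assumed to be a power of 2, and the seeded `random.Random` generator is used only to make the demonstration reproducible (it is not a secure noise source for a deployed mechanism).

```python
import math
import random


def laplace(scale, rng):
    """Sample Lap(scale) as a difference of two exponentials (0 if scale is 0)."""
    if scale == 0:
        return 0.0
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


class DyadicTree:
    """T(L, U): complete binary tree over leaves L..U, one noisy counter per node."""

    def __init__(self, L, U, noise_scale, rng):
        self.L, self.U = L, U
        self.size = U - L + 1
        assert self.size & (self.size - 1) == 0, "U - L + 1 must be a power of 2"
        self.c = {}  # (l, u) -> counter c_lu, initialised to Laplace noise
        width = 1
        while width <= self.size:
            for l in range(L, U + 1, width):
                self.c[(l, l + width - 1)] = laplace(noise_scale, rng)
            width *= 2

    def nodes_containing(self, i):
        """Intervals [l, u] with i in [l, u]: the leaf-to-root path of leaf i."""
        path, width = [], 1
        while width <= self.size:
            l = self.L + ((i - self.L) // width) * width
            path.append((l, l + width - 1))
            width *= 2
        return path

    def add(self, i, x):
        # One update touches exactly log2(size) + 1 counters (the sensitivity).
        for node in self.nodes_containing(i):
            self.c[node] += x

    def prefix_nodes(self, u):
        """Nodes whose counters s(u, T) adds up for the prefix [L, u]."""
        nodes, start = [], self.L
        while start <= u:
            width = 1
            # Grow to the largest aligned node that starts here and ends by u.
            while (start - self.L) % (2 * width) == 0 and start + 2 * width - 1 <= u:
                width *= 2
            nodes.append((start, start + width - 1))
            start += width
        return nodes

    def prefix_sum(self, u):
        return sum(self.c[node] for node in self.prefix_nodes(u))


class WindowSum:
    """Algorithm 1: one dyadic tree per block of W inputs, noise Lap((log W + 1)/eps)."""

    def __init__(self, W, epsilon, seed=0):
        self.W, self.i = W, 0
        self.rng = random.Random(seed)  # demo only; not a secure noise source
        self.scale = (math.log2(W) + 1) / epsilon  # 0.0 when epsilon is infinite
        self.prev = self.cur = None  # T_{k-1} and T_k; older trees are dropped

    def update(self, x):
        self.i += 1
        i, W = self.i, self.W
        k = -(-i // W)  # k = ceil(i / W)
        if self.cur is None or i > self.cur.U:
            self.prev = self.cur
            self.cur = DyadicTree((k - 1) * W + 1, k * W, self.scale, self.rng)
        self.cur.add(i, x)
        estimate = self.cur.prefix_sum(i)
        if self.prev is not None:
            # Suffix of the previous block = whole block minus its prefix up to i - W.
            estimate += self.prev.prefix_sum((k - 1) * W) - self.prev.prefix_sum(i - W)
        return estimate


def exact_window_sums(xs, W):
    return [sum(xs[max(0, j - W):j]) for j in range(1, len(xs) + 1)]


def run(xs, W, epsilon, seed=0):
    ws = WindowSum(W, epsilon, seed)
    return [ws.update(x) for x in xs]


# Constructed 0/1 input stream for the demonstration.
SAMPLE_BITS = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1]

if __name__ == "__main__":
    exact = exact_window_sums(SAMPLE_BITS, 4)
    noisy = run(SAMPLE_BITS, 4, epsilon=1.0)
    for j, (e, n) in enumerate(zip(exact, noisy), start=1):
        print(f"j={j:2d} exact={e} private={n:+.2f}")
```

Passing `epsilon=math.inf` sets the noise scale to zero, which makes it easy to check that the three-term output formula reproduces the exact window sums before any noise is added.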

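Theorem 3. WindowSum satisfies $\epsilon$-differential privacy, and achieves $(\delta, \gamma)$-utility with

$$\delta = \begin{cases} O(\frac{1}{\epsilon} \log^{1.5} W \log^{0.5} \frac{1}{\gamma}), & \log W > \log \frac{1}{\gamma} \\ O(\frac{1}{\epsilon} \log W \log \frac{1}{\gamma}), & \log W < \log \frac{1}{\gamma} \end{cases}$$

Furthermore, WindowSum can be implemented to use $O(W)$ words of space and to run in $O(\log W)$ time
per update.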

Proof. Privacy. Observe that any variable $c_{lu}$ used to compute $\hat{F}_w(j, W)$ satisfies $l \le u \le j$. Therefore,
the counters $c_{lu}$ that contribute to $\hat{F}_w(j, W)$ will not be updated after time step $j$ and $\hat{F}_w(j, W)$ will be
identically distributed if it is computed at any time step $T \ge j$, so for the analysis we can assume that
all outputs are produced at time step $T$. Next we fix $T$ and argue that WindowSum is $\epsilon$-differentially
private for inputs of size $T$. Since the choice of $T$ is arbitrary, privacy for all $T$ follows. For this purpose,
let $c(x)$ be the vector of the values of all variables (in an arbitrary order) $c_{lu}$ such that $u \le T$ when the
input is $x = (x_1, \dots, x_T)$. Let also $c_0(x)$ be $c(x)$ with the initializing Laplace noise removed. Since each $x_j$
contributes to exactly $\log W + 1$ variables $c_{lu}$,

$$\forall j \in [T], \forall x'_j \in [0, 1] : \|c_0(x_1, \dots, x_j, \dots, x_T) - c_0(x_1, \dots, x'_j, \dots, x_T)\|_1 \le \log W + 1.$$

Differential privacy of $c(x)$ follows from above and Theorem 1. Since the sequence of outputs of WindowSum
up to time step $T$ is a deterministic function of $c(x)$, privacy of WindowSum follows.

Accuracy. It is easy to see that $\mathbb{E}\hat{F}_w(j, W) = F_w(j, W)$. By Lemma 1, for each $k$ and each $u$, $s(u, T_k)$ is
the sum of at most $\log W$ random variables, each with variance $2(\log W + 1)^2/\epsilon^2$. Therefore, the standard
deviation $\sigma$ of $\hat{F}_w(j, W)$ is $O(\log^{1.5} W/\epsilon)$.
Algorithm 2 AllWindowSum

Initialize $T = T(1, 1)$, with $c_{1,1}$ initialized to $\mathrm{Lap}(1/\epsilon_1)$.
for all updates $x_i$ do
    if the rightmost leaf of $T$ is $i - 1$ then
        Grow $T$ so that $T = T(1, 2(i - 1))$, adding additional nodes and variables as necessary; initialize new
        variables at level $k$ to $\mathrm{Lap}(1/\epsilon_k)$.
        Add the value to the root variable $c_{1,2(i-1)}$, where is the value of $c_{lu}$ without the Laplace noise.
    end if
    Add $x_i$ to all $c_{lu}$ in $T$ such that $i \in [l, u]$.
    Let $W' = 2^{\lceil \log W \rceil}$. At time step $j$, output $\hat{F}'_w(j, W) = s((k - 1)W', T_{k-1}) - s(j - W, T_{k-1}) + s(j, T_k)$,
    where $k = \lceil j/W' \rceil$.
end for



We consider two cases. For the first case, let $t = 2\sqrt{\ln(1/\gamma)}$ and A = (j)-^ for a constant $\phi$ to be
determined later. By Lemma 2, as long as $\lambda < 0.75\epsilon/(\log W + 1)$, we have that $\Pr[|\hat{F}_w(j, W) - F_w(j, W)| >
C\sqrt{\log(1/\gamma)}\,\sigma] < \gamma$ for some fixed constant $C$ that depends on $\phi$. A calculation shows that as long as
$\log W > \log(1/\gamma)$, the minimum value of $\phi$ such that the constraint on $\lambda$ holds can be bounded below by a
constant. This completes the analysis of the first case.

For the second case, when logW^ < log(l/7), we set the following parameters: 77 = logj^j-j^^^-) In 

(notice that 77 < 1): i = C'^^4i=, and A = = — "VinW where C" is a constant chosen so 

that A < 0.75e/(logW^ + 1) holds. Applying Lemma [21 we have that for a value C that depends on C", 
PriS" > CMog(l/7)logW^] < exp(17(t2/(2-')))) = exp(-l](ln I/7)). 

For the running time and space complexity analysis, notice that each update requires accessing $O(\log W)$
nodes, and that only the last two dyadic trees need to be stored. □

We can also show that we can approximate window sums simultaneously for all window sizes and preserve
privacy under continual observation. Our approximation is different for different window sizes $W$, and for
any particular $W$, it is almost the same as that of Theorem 3. Details can be found in the appendix.

4 Window Sum Simultaneously for all W 

Here we give an algorithm that works simultaneously for all window sizes. Our main observation is that
if for window size $W$ we divide the input into blocks of size $W' \in [W, 2W]$ instead of exactly $W$ as in
WindowSum, then we can store all necessary dyadic tree data structures as subtrees of a single dyadic tree.
However, storing the whole dyadic tree with the same noise at any level will result in error of size $\Omega(\log^{1.5} T)$
for all $W$. Instead, we want to make sure that within a subtree of height $h$, the noise added to any variable
is proportional to $h$. To achieve this, we use a different privacy parameter at level $k$ of the dyadic tree
and ensure that the sum of privacy parameters converges to $\epsilon$.

Let $\beta > 1$ be a parameter and $\zeta(\cdot)$ be the Riemann zeta function: — ■ ^'^^ — '^(^yg^- The
algorithm AllWindowSum is shown as Algorithm 2. The proof of the theorem below is analogous to that of Theorem 3.

Theorem 4. There exists a constant $K$ s.t. AllWindowSum satisfies $\epsilon$-differential privacy and achieves
$(\delta, \gamma)$-utility, where

('0(ilogi-^''M/log°-^i), logM/>Xlogi 
\0(ilog^M^logi), logI^<inogi 

Furthermore, the algorithm can be implemented to use $O(T)$ words of space and run in $O(\log T)$ time per
update on inputs consisting of $T$ updates.

Proof. Privacy. The proof of privacy is analogous to the proof of privacy for Theorem 3, but we treat
different levels of $T$ separately and use Theorem 2 to bound the total privacy loss. More precisely, we show
that level $k$ in the tree satisfies $\epsilon_k$-differential privacy and use the fact that $\sum_{k=1}^{\infty} \epsilon_k = \epsilon$.
Algorithm 3 ExponentialSum

Set $\lambda$ =
Initialize $T = T(1, 1)$, with $c_{1,1}$ initialized to $\mathrm{Lap}(\lambda/\epsilon)$
for all updates $x_i$ do
    if the rightmost leaf of $T$ is $i - 1$ then
        Grow $T$ so that $T = T(1, 2(i - 1))$, adding additional nodes and variables as necessary and initializing
        new variables to $\mathrm{Lap}(\lambda/\epsilon)$.
        Add the value $\alpha^{i-1} c^0_{1,i-1}$ to the root variable $c_{1,2(i-1)}$, where $c^0_{lu}$ is the value of $c_{lu}$ without the Laplace
        noise.
    end if
    for all $[l, u]$ such that $i \in [l, u]$ and the node indexed by $[l, u]$ is a left node do
        add $x_i \alpha^{u-i}$ to $c_{lu}$
    end for



Utility. The utility analysis is also analogous to the proof of Theorem 3, noticing the following facts: (1)
$W \le W' \le 2W$; (2) as an upper bound on the variance of any variable used to compute $\hat{F}'_w(j, W)$ we can
use the variance of variables at level $\log W' + 1$, which is 0(log^ W). The rest of the proof is unchanged. □

4.1 Exponential Decay 

While for the window sum problem we keep a sequence of dyadic trees, for the exponential decay problem we
keep a single dyadic tree that grows over time. The main property of exponentially decaying sums that we
use is that if $S_1$ is the exponential decay sum over a time interval $[a, b - 1]$ and $S_2$ is the exponential decay
sum over a time interval $[b, c]$, then $\alpha^{c-b+1} S_1 + S_2$ is the exponential decay sum over the time interval $[a, c]$.
Thus at a node in the dyadic tree that is indexed by interval $[l, u]$ we can keep the exponential decay sum for
that interval. However, doing this for every interval results in a data structure with unbounded sensitivity.
We update only the left nodes in the tree and show that we can bound the sensitivity in that case.

The ExponentialSum algorithm is shown as Algorithm 3. We analyze the algorithm for $\alpha \in (2/3, 1)$;
observe that when $\alpha < 2/3$, the range of $F_e$ is $[0, 3]$, and, therefore, achieving $(1.5, 0)$-utility is trivial.
Thus $\alpha \to 1$ is the interesting regime for approximating $F_e$.

The following lemma is useful in the analysis. 

Lemma 3. For an arbitrary $i$, let $[l_1, u_1], [l_2, u_2], \dots$ be the sequence of intervals such that $\forall k : i \in [l_k, u_k]$ and
$[l_k, u_k]$ is a left node. Assume the intervals are ordered in ascending order of $u_k - l_k$. Then $u_k - i \ge 2^{k-1} - 1$.

Proof. By induction. The base case is trivial, as from $i \in [l_1, u_1]$ follows $u_1 - i \ge 0$. For the inductive
step, it suffices to show that $u_k - u_{k-1} \ge 2^{k-2}$. By the construction of $T$, all nodes indexed by intervals
$[l, u]$ such that $i \in [l, u]$ lie on the path from the leaf indexed by $i$ to the root of $T$. Therefore, all nodes
indexed by $[l_k, u_k]$ for some $k$ are ancestors of $i$, and, by the construction of $T$ we have $u_k - l_k + 1 \ge 2^{k-1}$;
in particular, $[l_k, u_k]$ is an ancestor of $[l_{k-1}, u_{k-1}]$ and $u_{k-1} - l_{k-1} + 1 \ge 2^{k-2}$. By assumption, all nodes
indexed by $[l_k, u_k]$ are left nodes; let the right sibling of $[l_{k-1}, u_{k-1}]$ be the node indexed by $[l'_{k-1}, u'_{k-1}]$.
By construction, $u'_{k-1} - l'_{k-1} = u_{k-1} - l_{k-1}$ and the parent of both nodes is indexed by $[l_{k-1}, u'_{k-1}]$. All
ancestors of $[l_{k-1}, u_{k-1}]$ are indexed by intervals that contain $[l_{k-1}, u'_{k-1}]$ as a subinterval, and, therefore,



output Fe{i,a) = X^Lo Cufc,Ufc 



a- 



j-"fc+i 



end for 




This completes the inductive step. 



□ 
Theorem 5. Assume $\alpha \in (2/3, 1)$ and let $K$ be a universal constant. ExponentialSum satisfies $\epsilon$-differential
privacy and achieves $(\delta, \gamma)$-utility with

lo(Mog^logi), log ^< log i 

Furthermore, ExponentialSum can be implemented to use O(logT) words of space and to run in O(logT) 
time per update on inputs consisting of T updates. 

Proof. Privacy. It is sufficient to fix $T$ and argue that ExponentialSum is $\epsilon$-differentially private for
inputs of size $T$ when all outputs for $j \le T$ are produced at step $T$.

We analyze the sensitivity of $T$. Define $c_0(x)$ as in the proof of Theorem 3 and $[l_1, u_1], [l_2, u_2], \dots$ as in
Lemma 2. We have

00 00 



\\co{xi,...,x^,...,xt) -co(xi,...,1 -Xi,...,XT)\\i < X!""'' - X!"" 

fc=l k=l 



00 

< > a" = -y a^' 

a 

k=l k=0 

< - + - I a'^'^dx 



a a 
1 1 



a a In 2 

ln2 + ^i(lnl) 
a In 2 



dt 



(2) 



Here Ei{x) = Ei{x) = Wc have the following series expansion for Ei, which converges for all real 

\x\ < TT P564] : 

E,ix) = -v-lnx + Y^ ^ , (3) 

fc=i 

where 77 is the Euler-Mascheroni constant. Since, by assumption, a > e~^, we have In ^ < 1. For x < 1, the 
last term in ^ is bounded by 77 + -Ei(l) = 1] + h- Therefore, we have, 

-Ei(21n-) < -Inln- + - 
a a 2 



For X 6 (0, 2), we have the following series expansion for Inx: 

lnx = :E-l-^ ^ ' . (5) 



k 

k=2 

Since by assumption 1/a — 1 < 1/2, we have ln(l/a) > (l/a — l)/2. Substituting in we get 

, 1, 1 1 2a 1 

E,{\n-)<\n— + -= \n- + - 6 

a ^ 1 — a I 

2a. 

Substituting ^ into © gives us the following bound on sensitivity: 

|jco(a;i, . . . ,a;i, . . . ,xt) - Co(xi, . . . , 1 - x^, . . . ,xt)||i 
Algorithm 4 PolynomialSum

Set $\lambda$ = i2S(M^+ 1.
Start an instance of WindowSum for input $x_1, \dots$ with window size $W_1 = b(1)$ and initializing noise for
each variable $\mathrm{Lap}(\lambda/\epsilon)$. Set $j^* = 1$.
for all updates $x_i$ do
    if $i = b(j^*) + 1$ then
        Set $j^* = j^* + 1$.
        Start a new instance of WindowSum with window size $W_{j^*} = b(j^*) - b(j^* - 1)$ and initializing
        noise for each variable $\mathrm{Lap}(\lambda/\epsilon)$.
    end if
    for all $k < j^*$ do
        Update the $k$-th instance of WindowSum with input (1 - l3)''~^x^_^f:_i)
    end for
    Output Fp{i, c) = J2j>o:b{j)<t - l^y^i^ •■•,(!- f3yx,_b(j),Wj+i).
end for



By Theorem 1 and 0, ExponentialSum satisfies $\epsilon$-differential privacy.

Accuracy. Clearly, $\mathbb{E}\hat{F}_e(j, \alpha) = F_e(j, \alpha)$. Next we upper bound , the maximum variance of $\hat{F}_e(j, \alpha)$ over
all $j$. By Lemma 2, all intervals $[1, u_1], [u_1, u_2], \dots, [u_r, j]$ correspond to nodes in distinct levels of $T$, and
therefore have sizes which are distinct powers of 2. We have, for some fixed constant $C$,

/ log \ 2 oo 

ae I a'^ 

^ 1=2 

\ ae J 

The proof can be completed analogously to the proof of Theorem 3. □




4.2 Polynomial Decay 

Unlike the running sum, window sum, or exponential decay sum problems, there is no easy way to combine
polynomial decay sums over intervals $[a, b - 1]$ and $[b, c]$ into a polynomial decay sum over $[a, c]$. Therefore, our
techniques for estimating polynomial decay sum are considerably different. On a high level, we approximate
the polynomial decay function $g(i) = (i + 1)^{-c}$ by a function $g'$ that is constant on intervals of exponentially
growing size. Then we can approximate the decay sum induced by $g'$ by running multiple instances
of our window sum algorithm in parallel. This technique results in a bi-criteria approximation, i.e. our
approximation guarantee has both a multiplicative and an additive approximation factor. As $c \to 1$ (i.e. as
the range of the polynomial decay sum grows), the additive approximation factor remains bounded and
is dominated by $\beta^{-1}$, where $(1 \pm \beta)$ is the multiplicative approximation factor. Thus the approximation
guarantees for our algorithm are mostly determined by a trade-off between additive and multiplicative
approximation.

For a given polynomial decay function g = (i + 1)""^ and the induced decay sum F, let us a fix a 
multiplicative error parameter /3 and define a function & as Vj > 1 : b{j) = max{i : g{i) > (1 — and 
&(0) = 0. Intuitively g{i) is almost constant for i G [b{j — 1), b{j)). 

We can now define a function $g'$ that approximates g: $\forall i \in [b(j-1), b(j)) : g'(i) = (1-\beta)^{j-1}$. Let $F'$ be
the decay sum induced by $g'$. From the definition of $g'$ it is immediate that $\forall j, \forall x \in \{0,1\}^j : (1-\beta)F(j) \le
F'(j) \le F(j)$.

The PolynomialSum algorithm is shown as Algorithm m. Note that we call the j-th instance of
WindowSum with input consisting of time updates in $\{0, (1-\beta)^{j-1}\}$. It is straightforward to check that the
WindowSum algorithm can handle such scaled instances without modification. Note also that we modify
the WindowSum algorithm slightly by adjusting the magnitude of noise added to the variables associated
with the dyadic trees kept by WindowSum.
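The step-function idea above, as an added example (not code from the paper): it computes the breakpoints b(j) exactly, assembles F' from one unweighted window sum per level, and checks the bound $(1-\beta)F \le F' \le F$. No noise is added, and the level indexing (age 0 alone, then $b(j-1) <$ age $\le b(j)$ with weight $(1-\beta)^j$), the function names and the sample stream are assumptions of this example, chosen so the bound holds for every integer age.

```python
from fractions import Fraction

def g(i, c):
    """Polynomial decay g(i) = (i + 1)^(-c), kept exact with Fractions."""
    return Fraction(1, (i + 1) ** c)

def b(j, c, beta):
    """Breakpoint b(j) = max{i : g(i) >= (1 - beta)^j}; b(0) = 0."""
    i, threshold = 0, (1 - beta) ** j
    while g(i + 1, c) >= threshold:
        i += 1
    return i

def level(age, c, beta):
    """Assumed indexing: age 0 is level 0; b(j-1) < age <= b(j) is level j."""
    j = 0
    while b(j, c, beta) < age:
        j += 1
    return j

def exact_sum(xs, c):
    """F at the last time step: sum over the stream of g(age) * x."""
    t = len(xs) - 1
    return sum(g(t - i, c) * x for i, x in enumerate(xs))

def stepwise_sum(xs, c, beta):
    """F' at the last time step, built from one unweighted window sum per
    level, each scaled by that level's constant weight (1 - beta)^level."""
    t = len(xs) - 1
    windows = {}
    for i, x in enumerate(xs):
        j = level(t - i, c, beta)
        windows[j] = windows.get(j, 0) + x
    total = sum((1 - beta) ** j * s for j, s in windows.items())
    return total, windows

if __name__ == "__main__":
    # Constructed 0/1 stream and parameters, for illustration only.
    xs = [1, 0, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1]
    beta, c = Fraction(1, 4), 2
    f = exact_sum(xs, c)
    f_step, windows = stepwise_sum(xs, c, beta)
    print("b(0..7):", [b(j, c, beta) for j in range(8)])
    print("F =", float(f), " F' =", float(f_step), " levels:", sorted(windows))
    assert (1 - beta) * f <= f_step <= f
```

Each level is a contiguous range of ages, so a private version would replace every per-level sum with the output of a WindowSum instance of the matching width.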

Theorem 6. PolynomialSum satisfies $\epsilon$-differential privacy, and for any j, with probability $1-\gamma$, we have
$(1-\beta)F_p(j, c) - O(\delta) \le \hat F_p(j, c) \le F_p(j, c) + O(\delta)$, where

1 log^)'-'log°-5i ,/ 1 log^>logi 



S = { \^ ° 1-/3 / ° 7 ■' ° 1-/3 ° 7 

¥SF^logT3?log^ */ log < log i 



Furthermore, PolynomialSum can be implemented to use O(T) words of space and run in
O(log^ T / log(1/(1 - β))) time per update on inputs consisting of T updates.

Proof. Privacy. The privacy analysis is analogous to the analysis in the proof of Theorem [31 but we bound
sensitivity over all instances of WindowSum. Due to the scaling of the input, the sensitivity of the j-th
instance of WindowSum is bounded by $(1-\beta)^{j-1}(\log W_j + 1)$. Let us first bound $W_j$. Observe that
$b(j) = \lfloor g^{-1}((1-\beta)^j) \rfloor$. For $g(i) = (i+1)^{-c}$ we have $b(j) \in [(1-\beta)^{-j/c} - 2, (1-\beta)^{-j/c} - 1]$. Then $W_j$ can
be bounded as $W_j = b(j) - b(j-1) \le (1-\beta)^{-j/c} - (1-\beta)^{-(j-1)/c} + 1$. Since $1-\beta < 1$ and $j \ge 1$, we have
$W_j \le (1-\beta)^{-j/c}$. We can then bound the overall sensitivity by

oc OO oo 

5: (1 - py-' log w, + ^ (1 - (3y <J2{i- py-' log — i-^ + i 

3 = 1 3=0 3 = 1 ^ ' ' ^ 

Theorem [T] and ([5]) complete the privacy proof. 

Accuracy. Note that KFp{j, c) = F'{j). The variance of Fw{{l — I3yxi,(^j-j, . . . , (1 — (3yxk, Wj) is at most 
2(1 — /3)^-' log Wj. Therefore, the total variance cr^ of Fp{j, c) is 

1 1 °° 




1-^, 

Using Lemma [5] as in Theorem |3] we can show that for any j, with probability at least $1-\gamma$,

fnff 1 ioe:^)i-5log°-^ i) if 1 log ^ > be ^ 
[O(^log^logi) if -1^ log ^ < log i 

Since for all x and all j, $(1-\beta)F(j) \le F'(j) \le F(j)$, this completes the proof. □

This algorithm can more generally be used to compute a private (under continual observation)
approximation to a decayed sum F induced by a decay function g as long as $g^{-1}$ grows subexponentially. In this
case sensitivity remains bounded and the additive error guarantee is dominated by a function of $\beta$, but the
exact function depends on g. The algorithm is not applicable to the window or running sum problem, since
for them $g^{-1}$ is not well defined; the guarantee for exponential decay sum is incomparable with the one in
Theorem [5l.
5 Lower Bounds



We give a general framework for lower bounding the dependence of the error $\delta$ on the error probability $\gamma$
for algorithms that are private under continual observation and achieve $(\delta, \gamma)$-utility. We also instantiate
the framework with a construction that yields concrete lower bounds for the three decay sum problems
considered in this paper. As far as the dependence on error probability is concerned, our lower bounds for
window and exponential decay sums are tight. Our lower bound for polynomial decay sums is against a
purely additive approximation and is not directly comparable to the upper bounds on the approximation
factors of our algorithm.

Suppose that for a fixed error probability $\gamma$, we want to prove a lower bound on $\delta$ for any $\epsilon$-differentially
private algorithm that achieves $(\delta, \gamma)$-utility with respect to a function $F(x_1, \ldots, x_j)$. We can take $\gamma = 2/3q$,
and it follows, by the union bound, that for any set $Q \subseteq [n]$ of size q, with probability 2/3, the algorithm is
within an absolute error $\delta$ from $F(x_1, \ldots, x_j)$ for all $j \in Q$. Assume that for some T we can construct $N + 1$
instances $x^0, \ldots, x^N$, each of length T, that satisfy the following properties:

1. $(Q, \delta)$-independence: for all $a, b \in \{0, \ldots, N\}$, $a \ne b$, there exists some $j \in Q$ such that
$|F(x^a_1, \ldots, x^a_j) - F(x^b_1, \ldots, x^b_j)| > 2\delta$.

2. D-closeness: for all $a, b \in \{0, \ldots, N\}$, we have $d_H(x^a, x^b) \le D$, where $d_H$ is the standard Hamming
distance.

Lemma 4. Assume there exists an $\epsilon$-differentially private algorithm A that at time step j outputs $\hat F(x_1, \ldots, x_j)$.
Assume further that for any $Q \subseteq \mathbb{N}$, $|Q| = q$, we have $\Pr[\forall j \in Q : |\hat F(x_1, \ldots, x_j) - F(x_1, \ldots, x_j)| \le \delta] \ge 2/3$.
If for some Q there exists a set $\{x^0, \ldots, x^N\}$ that satisfies $(Q, \delta)$-independence and D-closeness with respect
to F, then $D \ge \frac{\ln N + \ln 2}{\epsilon}$.

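Proof. Let $B(x^i) = \{f : |f_j - F(x^i_1, \ldots, x^i_j)| \le \delta\}$. By assumption, $\Pr[(\hat F(x^i_1, \ldots, x^i_j))_{j=1}^{T} \in B(x^i)] \ge 2/3$.
Then, by the definition of differential privacy and D-closeness, we have

$$\forall i : \Pr[(\hat F(x^0_1, \ldots, x^0_j))_{j=1}^{T} \in B(x^i)] \ge e^{-\epsilon D} \cdot 2/3.$$

By $(Q, \delta)$-independence, $B(x^a) \cap B(x^b) = \emptyset$ for all $a \ne b$. Therefore,

$$\Pr\Big[(\hat F(x^0_1, \ldots, x^0_j))_{j=1}^{T} \in \bigcup_{i=1}^{N} B(x^i)\Big] = \sum_{i=1}^{N} \Pr[(\hat F(x^0_1, \ldots, x^0_j))_{j=1}^{T} \in B(x^i)] \ge N e^{-\epsilon D} \cdot 2/3.$$

However, since $B(x^0) \cap \bigcup_{i=1}^{N} B(x^i) = \emptyset$, by the assumptions on A we have

$$\Pr\Big[(\hat F(x^0_1, \ldots, x^0_j))_{j=1}^{T} \in \bigcup_{i=1}^{N} B(x^i)\Big] \le 1/3.$$

Therefore, $2N \le e^{\epsilon D}$, and the lemma follows by taking logarithms. □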

In order to apply Lemma 4 we need a method to construct a set of instances satisfying $(Q, \delta)$-independence
and D-closeness for a given error bound $\delta$, such that D is upper bounded by a function of $\delta$ and N is
lower bounded by a function of $|Q|$. We show a construction that allows us to derive a lower bound for any decayed
sum problem, where, naturally, the form of the lower bound depends on the specific problem, i.e. on the decay
function g. As corollaries, we derive specific lower bounds for the problems we consider in this paper. In
our construction, the set of vectors $\{x^i\}_{i=0}^{N}$ is defined as $x^0 = (0^{ND})$ and $x^i = (0^{(i-1)D}, 1^D, 0^{(N-i)D})$. We set
$Q = \{j : D \text{ divides } j\}$ and choose $\delta$ according to the specific decay function g. Consider a general decayed
sum function $F(x_1, \ldots, x_j)$ with a decay function g. The construction gives our main lower bound theorem.

Theorem 7. Assume there exists an $\epsilon$-differentially private algorithm A that at time step j outputs $\hat F(x_1, \ldots, x_j)$
and achieves $(\delta, \gamma)$-utility with respect to a decayed sum function F induced by g. Denote $G(x) = \sum_{i=0}^{x} g(i)$.
Then 5 > iG(17(i2l(iZ2) )). 

For the three problems considered in this paper we derive the following corollaries. 
Corollary 1. Assume there exists an $\epsilon$-differentially private algorithm A that at time step j outputs $\hat F_w(j, W)$
and achieves (S,^) -utility with respect to Fw{j, W). Then, S > ^min '°s(i/7) |^ ^ 

Note that the lower bound of [DPNR10] is a special case of the above corollary for $\gamma = 2/3W = 2/3T$.

Corollary 2. Assume there exists an $\epsilon$-differentially private algorithm A that at time step j outputs $\hat F_e(j, \alpha)$
and achieves {5, ^) -utility with respect to Fg{j, a). Then, for a e (2/3,1) we have 5 >Vl ^min | j^r^, i2s(i/7) |^ 

Corollary 3. Assume there exists an $\epsilon$-differentially private algorithm A that at time step j outputs $\hat F_p(j, c)$
and achieves (5,^)-utility with respect to Fp{j,c). Then, S > iJe(^( '°^^^^'''^ )) > ^1 — iog'^~^(i/7) ) ' '^^^''^^ 
$H_c(k)$ is the k-th generalized harmonic number in power c.

6 Extensions and Applications 

Algorithms for sum problems can be used to compute more sophisticated statistics as we described earlier. 
In this section we exhibit a few extensions and applications of our algorithms. We show how they can be 
used to compute sums over individual predicates and some special cases of sums over holistic predicates,
including distinct counts, which are of great interest. We also show how to compute histograms (over windows
or decayed). In the following discussion we denote an arbitrary universe as $\mathcal{U}$.

6.1 Individual Predicates 

We define an individual predicate abstractly as a function $\mathcal{P} : \mathcal{U} \to [0,1]$. Let the input at time step i be
$u_i$, where $u_i \in \mathcal{U}$. The decayed predicate sum for an individual predicate $\mathcal{P}$ and decayed sum function F
then is $F(\mathcal{P}(u_1), \ldots, \mathcal{P}(u_j))$. Differential privacy and utility for predicate sums can be defined analogously
to decayed sums. The following claim is immediate for individual predicates:

Theorem 8. Let A be an $\epsilon$-differentially private algorithm that achieves $(\delta, \gamma)$-utility with respect to a
decayed sum F. Then, on input $\mathcal{P}(u_1), \ldots, \mathcal{P}(u_T)$, A is $\epsilon$-differentially private with respect to $u_1, \ldots, u_T$
and achieves $(\delta, \gamma)$-utility with respect to the decayed predicate sum for $\mathcal{P}$ and F.

6.2 Holistic Predicate Sum 

Individual predicates are limited in that they can depend only on a single update $u_i$ rather than the whole
sequence of updates. Here we define the more general notion of holistic predicates and treat the special case
of low-sensitivity holistic predicates, with the distinct count problem as an important application.

A holistic predicate is a function $\mathcal{P} : \mathcal{U}^* \to [0,1]$. The decayed predicate sum for the holistic predicate $\mathcal{P}$
is $F(\mathcal{P}(u_1), \ldots, \mathcal{P}(u_1, \ldots, u_j))$.

Let us call a holistic predicate k-sensitive if for any sequence of updates $u_1, \ldots, u_T$, any $j \in [T]$ and any
$u'_j \in \mathcal{U}$, the sequences $\mathcal{P}(u_1, \ldots, u_j), \ldots, \mathcal{P}(u_1, \ldots, u_j, \ldots, u_T)$ and $\mathcal{P}(u_1, \ldots, u'_j), \ldots, \mathcal{P}(u_1, \ldots, u'_j, \ldots, u_T)$
differ in at most k components. The following theorem follows from the basic properties of $\epsilon$-differential
privacy (proof omitted).

Theorem 9. Let A be an $\epsilon$-differentially private algorithm that achieves $(\delta, \gamma)$-utility with respect to a
decayed sum F. Then, when given input $\mathcal{P}(u_1), \ldots, \mathcal{P}(u_1, \ldots, u_T)$ for a k-sensitive holistic predicate $\mathcal{P}$, A is
$k\epsilon$-differentially private with respect to $u_1, \ldots, u_T$ and achieves $(\delta, \gamma)$-utility with respect to the decayed
predicate sum for $\mathcal{P}$ and F.

We can show that the fundamental distinct count problem can be encoded as a 2-sensitive holistic
predicate. In the distinct element count problem the input is a sequence of updates $u_1, u_2, \ldots$, and at each
time step j the goal is to approximate the number of distinct elements seen so far, i.e. $|\{u \in \mathcal{U} : \exists i \le
j \text{ s.t. } u_i = u\}|$. This problem is equivalent to a predicate sum problem where F is simply the running sum
function, and $\mathcal{P}(u_1, \ldots, u_j)$ is 0 when $\exists i < j : u_i = u_j$ and 1 otherwise. The proof of the following lemma is
deferred to the full version of the paper.
Lemma 5. The predicate 'P(ui, . . . , Uj) = < j : Ui = Uj) is 2-sensitive.

Then, by Theorem 9 and the algorithm of Dwork et al. [DPNR10] for the running sum problem, we have
the following result:

Theorem 10. There exists an $\epsilon$-differentially private algorithm that achieves $(\delta, \gamma)$-utility for the distinct
element count problem with $\delta = O(\log^{1.5} T \log^{0.5}(1/\gamma))$ (in the case $\log T = \omega(\log(1/\gamma))$) or $\delta = O(\log T \log(1/\gamma))$ (in
the case $\log T = O(\log(1/\gamma))$), where T is the number of updates.

We leave open the problem of designing a private algorithm for estimating, at each time step, the number
of distinct elements seen over the last W updates, with absolute error polylogarithmic in W.
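Lemma 5 is stated without proof on this page, so the following added example (not code from the paper) checks it exhaustively on short streams and shows the running sum of the predicate stream reproducing the distinct count. The function names and the sample streams are constructed for illustration.

```python
from itertools import product

def first_occurrence_stream(updates):
    """Holistic predicate of Section 6.2: component j is 1 when u_j has not
    appeared earlier in the stream, and 0 when it has."""
    seen, out = set(), []
    for u in updates:
        out.append(0 if u in seen else 1)
        seen.add(u)
    return out

def running_sums(values):
    """Running sum F applied to the predicate stream, one output per step."""
    total, out = 0, []
    for v in values:
        total += v
        out.append(total)
    return out

def changed_components(updates, j, new_value):
    """How many predicate components differ after replacing update j."""
    neighbour = list(updates)
    neighbour[j] = new_value
    before = first_occurrence_stream(updates)
    after = first_occurrence_stream(neighbour)
    return sum(p != q for p, q in zip(before, after))

def max_changed(universe, length):
    """Largest number of changed components over every stream of the given
    length and every single-update replacement, with one witness."""
    worst, witness = 0, None
    for stream in product(universe, repeat=length):
        for j in range(length):
            for v in universe:
                n = changed_components(stream, j, v)
                if n > worst:
                    worst, witness = n, (stream, j, v)
    return worst, witness

if __name__ == "__main__":
    stream = list("abacbd")                     # constructed sample stream
    print(running_sums(first_occurrence_stream(stream)))  # distinct count per step
    print(max_changed("abc", 5))                # worst case and a witness
```

By Theorem 9 with k = 2, a running-sum algorithm that is $\epsilon$-differentially private on this 0/1 stream is $2\epsilon$-differentially private with respect to the updates.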



6.3 Histograms 

Consider a situation in which each update can belong to one of several categories. More formally, let the
update at time step i be $(u_i, x_i) \in \mathcal{U} \times [0, 1]$. Let $x(u, j)$ be x restricted to all components $x_i$ for $i \le j$ such that
$u_i = u$. Then, at time step j, the algorithm outputs a vector $y(j) \in \mathbb{R}^{\mathcal{U}}$, where $y_u(j)$ is an approximation to
$F(x(u, j))$, for some decayed sum function F. We call this the decayed histogram problem for F. Differential
privacy under continual observation for decayed histogram problems can be defined analogously to decayed
sum problems.

Given an algorithm to approximate a decayed sum, it can be easily extended to an algorithm for the 
corresponding decayed histogram problem. 

Theorem 11. Let A be an $\epsilon$-differentially private algorithm that achieves $(\delta, \gamma)$-utility with respect to a
decayed sum F. Then, there exists an $\epsilon$-differentially private algorithm $A'$ that uses A as a black box and
for each j and each u satisfies $\Pr[|y_u(j) - F(x(u, j))| > \delta] \le \gamma$.

7 Conclusion 

We were inspired by the recent work on differential privacy of data analysis with continual updates [DPNR10,
CSS10a], a research direction motivated by monitoring applications. However, our observation is that in
monitoring applications typically recent data is more important than distant data. Hence, we need analyses that
are accurate on the most recent window of data or data where the past is decayed (polynomially or exponentially,
as is common in database streaming).

We presented upper and lower bounds for a general class of functions — predicate sums — on window 
and decayed data. We derived our upper bounds by balancing noise at different levels of a tree atop the data 
in a nontrivial way, and derived lower bounds by inspiration from work on privacy of optimization problems. 

There are many analyses of great interest on decayed data with differential privacy that remain open. 